SymWest: What’s Old Is Still Trouble, Says Security Expert
By John San Filippo
Cybersecurity expert Jim Stickley, CEO of Stickley on Security, has long been a staple of the credit union speaking circuit. He’s built his reputation telling audiences about the latest threats and vulnerabilities, often demonstrating them in real time. However, when he was preparing for his presentation at the SymWest conference in early May, he took a different approach.
As he recounted to the audience, he was discussing possible topics with his wife when she made an interesting observation. “Over the years, you’ve demonstrated all sorts of vulnerabilities,” she noted. “Did those things all get fixed or are they still a mess?”
Admitting that many of these topics were still “a mess,” Stickley decided to focus on some threats that, unfortunately, have withstood the test of time.
Stickley first focused on the practice of registering mistyped domain names for malicious purposes, a.k.a. typosquatting. “Let's say I wanted to go to facebook.com, but I accidentally type facwbook.com because the W is right next to the E,” said Stickley, playing a prerecorded browser session for the audience.
“The first thing you see is one of these security warning types of things,” said Stickley, describing what was on the presentation screen. “That seemed aggressive enough, but when I tried to close the window, it took over the whole screen and started talking to me,” which was reflected in the recording. The voice from the computer warned Stickley not to shut down or restart the computer, urging him instead to call a “technical support” number.
As Stickley then pointed out, financial institutions are not immune to typosquatting. Said Stickley, “We’re at a credit union conference, so why not make fun of banks? So, I pulled up the Forbes 2022 list of top 100 banks. Right there at the top was Home Bancshares.” He said a little research showed that the public-facing bank for Home Bancshares is Centennial Bank.
“What I decided to do was make a scam website that would basically be ripping off people that were going to Centennial's real site,” said Stickley. Using a mistyped domain name he’d registered, he showed how he created a site that actually pulled in code from the real Centennial site. “If they change their code and hit an update, it's live on my site,” he noted.
The one difference was that he created an overlay that replicated the username and password fields. When the user attempted to enter that information, they’d be presented with one of those all-too-common “we don’t recognize your device” messages and asked to enter their full name and full Social Security number. All this information would be emailed to Stickley, and the unsuspecting user’s second attempt to log in would succeed.
Stickley said that there are simple measures Home Bancshares could take to prevent this specific type of activity, but it’s also important to mitigate typosquatting in general. He urged attendees to try mistyping their own URLs in various ways, assuring them they’d be shocked by what they might find.
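One way to act on that advice is to enumerate the single-keystroke slips of your own domain (the facebook.com to facwbook.com kind, where the W sits next to the E) and then check which of them are already registered. The script below is an added example written for this article, not a tool from Stickley or his company; the QWERTY row layout and the four slip types are assumptions about what a typosquatter is most likely to register.

```python
# Added example: enumerate typo variants of a domain you own so the
# registered ones can be reviewed. Runs offline; it only generates names.

# Horizontal QWERTY neighbours, as in the "W is right next to the E" case.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def adjacent_keys(ch):
    """Return the keys immediately left and right of ch on its QWERTY row."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i >= 0:
            return {row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)}
    return set()


def typo_variants(domain):
    """All single-keystroke slips of the domain's first label: neighbour
    substitution, omission, doubled letter and transposition.  The TLD is
    left untouched, since that is what the user actually typed correctly."""
    label, dot, tld = domain.lower().partition(".")
    out = set()
    for i, ch in enumerate(label):
        for k in adjacent_keys(ch):                  # facebook -> facwbook
            out.add(label[:i] + k + label[i + 1:])
        out.add(label[:i] + label[i + 1:])           # facebook -> facbook
        out.add(label[:i] + ch + label[i:])          # facebook -> faceebook
        if i + 1 < len(label):                       # facebook -> faecbook
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    out.discard(label)                               # the real name is not a typo
    return sorted(v + dot + tld for v in out if v)


if __name__ == "__main__":
    # Constructed input: the domain used in the talk's demonstration.
    for candidate in typo_variants("facebook.com"):
        print(candidate)
```

Feed the output to your registrar's or a WHOIS lookup to see which candidates someone else already holds; those are the ones worth monitoring or registering defensively.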
Fake Financial Institutions
According to Stickley, it’s not uncommon for scammers to set up seemingly complete online banks – and he had examples to prove it. He proceeded to show the website of Online Valley Bank, navigating around so the audience could see it had all the common features of an FI website: an “About Us” section with an FI history, a “Contact Us” page and an account login, among other common pages. The site even performed well in organic Google rankings.
There was just one problem. Although the “About Us” page boasted a 130-year history, the bank’s domain name wasn’t registered until last summer. Smelling trouble, Stickley copied a section of text from the “About Us” page and searched Google for it in quotation marks, meaning the same exact words had to appear in the same exact order.
Sure enough, the text had been copied from a real bank that had been around online since 1999.
Stickley then showed the website of First Canyon Bank, an institution that claimed to date back to 1945. However, the domain name wasn’t registered until March 2022.
“First Canyon Bank is not a real bank either. They do not exist. They're in no way real, but they have another real site that looks very, very legitimate,” said Stickley. “When you go to it, all the stuff seems completely normal.” Stickley went to another fake bank site, Googled some text copied from there, and displayed a long list of equally fake banks that all shared the same wording. Some on Stickley’s list were fake credit unions, too.
A Huge and Never-Ending Problem
“There's just so much of this stuff out there. Just the little parts that I talked about today. You can't prevent everything, but you can kind of keep your finger on the pulse,” admonished Stickley. “The more you're aware of this stuff and the more you make sure your members are aware of this stuff, the less risk you're going to face.”